HP Operations Manager for Windows

Set the read mode


The read mode of the log file or eventlog policy indicates whether the policy should process the entire log file or should only process new log file entries. The three available read modes are described in the table below. Note that every policy reads log files independently from any other policies. This means, for example, that if "Policy 1" with read mode Read from Begin (First Time) is enabled on a node where "Policy 2" with the same read mode already exists, "Policy 1" will still read the entire log file after it has been enabled.

Log file read modes

Mode: Description, Advantage / Disadvantage
Read from Last File Position where the file is a Windows EventLog:
The policy reads only new—appended—entries written in the EventLog while the policy is enabled on the managed node. If the EventLog decreases in size between readings, then the entire EventLog is read. EventLog entries that are added to the EventLog when the policy is disabled are not processed by the policy. If the agent stops, all entries written to the monitored EventLog while the agent is not running will be processed after the agent restarts.

Choose this option if you are concerned only with EventLog entries that occur when the policy is enabled.

Advantage: No chance of reading the same entry twice. (Unless the EventLog decreases in size because some entries were deleted.)

Disadvantage: Entries written to the EventLog while the policy is disabled will not be processed by the policy.

Read from Last File Position where the file is a text log file:
The policy reads only new—appended—entries written in the log file while the policy is enabled on the managed node. If the log file decreases in size between readings, then the entire log file is read. Log file entries that are added to the log file when the policy is disabled are not processed by the policy.

Choose this option if you are concerned only with log file entries that occur when the policy is enabled.

Advantage: No chance of reading the same entry twice. (Unless the log file decreases in size because some entries were deleted.)

Disadvantage: Entries written to the log file while the policy is disabled or the agent is not running will not be processed by the policy.

Read from Begin (First Time) where the file is a text log file or a Windows EventLog:
The policy reads the complete log file each time the policy is enabled or the agent restarts on the managed node. This ensures that all entries in the log file are compared with the rules in the policy. Each successive time that the policy reads the log file, only new (appended) entries in the log file are processed.

Choose this option if you want to ensure that every existing and future entry in the log file will be processed by the policy while it is enabled.

Advantage: Every existing and future entry in the log file will be processed by the policy.

Disadvantage: Duplicate entries can occur if an enabled policy is disabled and reenabled, or if the agent stops and restarts.

Read from Begin (Always) where the file is a text log file:
(This mode is not available for the Windows Event Log policy type.) The policy reads the complete log file every time it detects that the log file has changed. The policy scans the log file at the specified polling interval. If no change is detected, the log file is not processed. Any log file entries overwritten while the agent is not running or the policy is disabled will not be evaluated by the policy.

Choose this option if you are monitoring a log file that is overwritten, rather than appended.

Advantage: Ensures that log files that are overwritten are correctly processed.

Disadvantage: Only valid for log files that are overwritten, rather than appended.
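
The following is an added example, not HP code: a simplified Python model of the three read modes for a text log file, replayed over a constructed timeline to show which entries reach the policy rules (missed entries with Read from Last File Position, duplicates with Read from Begin (First Time)). The class, function and entry names are hypothetical, an agent restart is treated the same as enabling the policy, and the EventLog catch-up after an agent restart is not modelled.

```python
# Simplified model of the read modes described above (text log file only).
LAST_POSITION, BEGIN_FIRST_TIME, BEGIN_ALWAYS = "last", "first_time", "always"

class PolicyModel:
    def __init__(self, mode):
        self.mode = mode
        self.enabled = False
        self.pos = 0        # number of entries already consumed
        self.seen = None    # last snapshot, used only by BEGIN_ALWAYS

    def enable(self, log):
        """Policy enabled (or agent started) against the current log contents."""
        self.enabled = True
        # Last File Position skips what already exists; First Time starts at 0.
        self.pos = len(log) if self.mode == LAST_POSITION else 0
        self.seen = None

    def disable(self):
        self.enabled = False

    def poll(self, log):
        """Return the entries the policy would compare against its rules."""
        if not self.enabled:
            return []
        if self.mode == BEGIN_ALWAYS:
            if log == self.seen:          # no change detected: nothing processed
                return []
            self.seen = list(log)
            return list(log)              # changed: whole file is read again
        if self.mode == LAST_POSITION and len(log) < self.pos:
            self.pos = 0                  # file shrank: entire file is read
        out = log[self.pos:]
        self.pos = len(log)
        return out

def replay(mode):
    """Constructed timeline: enable, append, disable, append, re-enable, append."""
    policy, log, processed = PolicyModel(mode), ["e1"], []
    policy.enable(log)
    processed += policy.poll(log)
    log.append("e2")
    processed += policy.poll(log)
    policy.disable()
    log.append("e3-while-disabled")
    processed += policy.poll(log)
    policy.enable(log)
    processed += policy.poll(log)
    log.append("e4")
    processed += policy.poll(log)
    return processed
```

In this model, `replay(LAST_POSITION)` never yields the entry written while the policy was disabled, which is the coverage gap to weigh when the monitored log carries security-relevant events.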

To set the read mode

  1. Right-click the policy and select All Tasks → Edit...
  2. Select Source.
  3. Select a read mode.
  4. You can also indicate whether a message should be sent to the message browser and whether the policy should close the log file after reading.
